I think it depends on the release manager. We can upgrade it if needed.
Istvan Toth <st...@apache.org> 于2025年3月19日周三 16:17写道: > > Hi! > > I've recently run some static checkers on 2.5.11, and found a few CVEs in > thirdparty. > branch-2 still uses thirdparty 4.1.5, which is quite old. > > Is there a specific reason why thirdparty wasn't updated on branch-2.x ? > > If 4.1.6 is for some reason incompatible with branch-2, we should still > release something that fixes the CVEs on branch-2. (Maybe 4.1.5.x ?) > > Istvan
